Adobe has released out-of-band security updates for Reader and Acrobat, closing two security holes that attackers have been actively exploiting.

Adobe Systems pushed out emergency updates on 20 February to quell attacks targeting Reader and Acrobat on Windows.

The updates patch two vulnerabilities – CVE-2013-0640 and CVE-2013-0641 – that can be exploited to allow an attacker to hijack a vulnerable system.

Active exploits

According to Adobe, both bugs are being exploited in targeted attacks that try to trick Windows users into clicking on a malicious PDF file delivered to them by email. The vulnerabilities themselves, however, impact both Windows and Mac users.

“Adobe recommends users apply the updates for their product installations,” the company said in an advisory, describing the vulnerabilities as critical.

The patch follows a warning from security firm FireEye last week that attackers were launching malicious PDFs at Windows users in a zero-day attack.

According to FireEye, when the vulnerability was successfully exploited, it would deploy two Dynamic Link Library (DLL) files. The first would show a fake error message and open a decoy PDF document. The second file deployed a callback component that talked to a remote Internet domain.

The attackers were able to bypass the Adobe Reader sandbox, FireEye’s senior director of security research, Zheng Bu, said last week.

“The JavaScript embedded in the crafted PDF is highly obfuscated using string manipulation techniques,” FireEye researchers noted in a blog post on 13 February. “Most of the variables in the JavaScript are in Italian. The JavaScript has version checks for various versions of Adobe Reader … and it creates the appropriate shellcode based on the version found.

“The payload involved in this exploit ultimately installs what appears to be a first-stage downloader in the form of a DLL posing as a ‘language bar add-in,’ using the registry key ‘HKCU\Software\Microsoft\CTF\LangBarAddIn’ to persist after reboot,” the FireEye team continued. “It further attempts to legitimise this disguise in its file properties.”
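
A defender's check for the persistence location named in the FireEye quote above, as an added PowerShell example that is not code from FireEye, Adobe or this article: it walks HKCU\Software\Microsoft\CTF\LangBarAddIn and reports every DLL path found there with its signature status and hash for triage. The function name Get-LangBarAddInEntry is hypothetical, and the script assumes nothing about the subkey layout beyond string values that contain a DLL path.

```powershell
# Added example (not FireEye's or Adobe's code). Reports every DLL referenced
# under the current user's LangBarAddIn key so an analyst can review it.
$LangBarKey = 'HKCU:\Software\Microsoft\CTF\LangBarAddIn'

function Get-LangBarAddInEntry {   # hypothetical helper name
    param([string]$Path = $LangBarKey)

    if (-not (Test-Path -LiteralPath $Path)) { return }   # key absent: nothing to report

    # The key itself plus every subkey; no assumption about the subkey layout.
    $nodes = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($node in $nodes) {
        foreach ($name in $node.GetValueNames()) {
            $data = $node.GetValue($name)
            # Only string values that mention a DLL are of interest here.
            if ($data -isnot [string] -or $data -notmatch '\.dll') { continue }

            $file   = [Environment]::ExpandEnvironmentVariables($data).Trim('"', ' ')
            $onDisk = Test-Path -LiteralPath $file -PathType Leaf

            [pscustomobject]@{
                RegistryKey = $node.Name
                ValueName   = $name
                DllPath     = $file
                OnDisk      = $onDisk
                Signature   = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $file).Status } else { $null }
                SHA256      = if ($onDisk) { (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash } else { $null }
                LastWrite   = if ($onDisk) { (Get-Item -LiteralPath $file).LastWriteTimeUtc } else { $null }
            }
        }
    }
}

Get-LangBarAddInEntry | Format-List
```

Because HKCU is per-user, run it in the session of the account being examined.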

Flash patch

This is not the first out-of-band patch this month for Adobe, which said last year it was aligning its patch releases with Microsoft’s Patch Tuesday.

Earlier this month, the company issued updates for critical vulnerabilities impacting Flash Player that, if exploited, could enable an attacker to hijack a vulnerable system. The company also issued another update to address vulnerabilities in both Flash Player and Shockwave Player.

Adobe, however, has also tried to make strides in terms of its security in recent years, revamping not only its patch release cycle but also its development procedures. Still, that hasn’t stopped Reader from being a popular target among criminal hackers.

“Adobe Reader is ubiquitous; it’s almost as important to patch as the Microsoft operating system patches, in some cases more so,” said Ross Barrett, senior manager of security engineering at Rapid7. “With Microsoft you can choose not to use Internet Explorer, but until today, you were likely using Adobe Reader with IE, Chrome or Firefox. I say until today because Firefox 19 just came out with its own, built-in, non-Adobe PDF reader.”

Switching to another PDF reader, however, may only provide a semblance of relief from attacks in the long run, said Alex Horan, senior product manager at Core Security. “Of course if everyone switches to Foxit, then so would the attackers,” he said. “But the one-time cost of switching your users to Foxit must be less than the ongoing cost of applying updates to Adobe Reader and the zero-day risk it constantly presents.”